Account misuse

I'm trying to create an alert and report for situations where a user is changing his privileges by impersonating another user/account. We have alerts on users logging in as a service account or misusing a colleague's account.

I was hoping to use a query such as usr.src != usr.dst, but this does not seem to work, as the syntax does not allow this.

Unfortunately, when working with queries, you can't do a comparison of two keys. They would have to be compared against values, like "user.src = 'jsmith' && user.dst != 'jsmith'".

However, you could do this with a Lua parser to compare the values. Please note there may be legitimate reasons for this activity such as when accounts get created, etc. Furthermore, usernames might come across differently based on the event sources. Some logs may have the full domain such as 'EVILCORP\jsmith' or 'jsmith@evilcorp.com'. Some may have the source in one format and the dest in another.

Below is a quick parser that I wrote up after reading the post. It would need to be tested first to see if it lines up with your use cases. It would likely need to be tuned to your environment, but it could be something to get you started.

-- Step 3 - Define tokens that get you close to what you want
-- Declare what tokens and events we want to match.
-- These do not have to be exact matches but just get you close to the data you want.
lua_account_diff:setCallbacks({
    [nwevents.OnSessionBegin] = lua_account_diff.sessionBegin,
    [nwlanguagekey.create("user.src", nwtypes.Text)] = lua_account_diff.userSRC,
    [nwlanguagekey.create("user.dst", nwtypes.Text)] = lua_account_diff.userDST,
})
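The comparison that the parser's user.src / user.dst callbacks would perform, written out as an added stand-alone Python example (this is not NetWitness Lua code and is not from the original post): it normalizes the username formats mentioned above ('EVILCORP\jsmith', 'jsmith@evilcorp.com', bare 'jsmith') before comparing, skips the event types where a source/destination mismatch is expected (account creation and similar admin activity), and flags the rest. The event records, the event_type field and the list of expected-mismatch event types are constructed assumptions for the example and would need to match your own sources.

```python
from typing import Dict, Iterable, List, Optional, Tuple


def normalize_user(raw: str) -> str:
    """Reduce the username formats seen across event sources to one comparable form.

    'EVILCORP\\jsmith' -> 'jsmith', 'jsmith@evilcorp.com' -> 'jsmith', 'JSmith' -> 'jsmith'.
    """
    name = raw.strip()
    if "\\" in name:                      # DOMAIN\user form
        name = name.rsplit("\\", 1)[-1]
    if "@" in name:                       # user@domain (UPN) form
        name = name.split("@", 1)[0]
    return name.lower()


# Event types where user.src != user.dst is normal (an admin acting on another
# account). Constructed list for this example; tune it to your environment.
EXPECTED_MISMATCH_EVENTS = {"account_created", "account_deleted", "password_reset"}


def account_mismatch(event: Dict[str, Optional[str]]) -> bool:
    """True when the event shows one account acting as a different account."""
    src, dst = event.get("user.src"), event.get("user.dst")
    if not src or not dst:
        return False                      # nothing to compare, do not alert
    if event.get("event_type") in EXPECTED_MISMATCH_EVENTS:
        return False                      # legitimate account-management activity
    return normalize_user(src) != normalize_user(dst)


def find_mismatches(events: Iterable[Dict[str, Optional[str]]]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (normalized src, normalized dst, event_type) for every flagged event."""
    return [
        (normalize_user(e["user.src"]), normalize_user(e["user.dst"]), e.get("event_type"))
        for e in events
        if account_mismatch(e)
    ]


# Constructed sample events (not real logs); each dict mimics the meta of one session.
SAMPLE_EVENTS = [
    # same person, different formats from two sources -> no alert
    {"event_type": "logon", "user.src": "EVILCORP\\jsmith", "user.dst": "jsmith@evilcorp.com"},
    # user logging in as a service account -> alert
    {"event_type": "logon", "user.src": "jsmith", "user.dst": "svc_backup"},
    # admin creating a new account -> expected mismatch, no alert
    {"event_type": "account_created", "user.src": "EVILCORP\\admin1", "user.dst": "newhire"},
    # one user acting as a colleague -> alert
    {"event_type": "logon", "user.src": "bjones@evilcorp.com", "user.dst": "EVILCORP\\jsmith"},
    # destination missing -> nothing to compare
    {"event_type": "logon", "user.src": "EVILCORP\\jsmith", "user.dst": None},
]


if __name__ == "__main__":
    for src, dst, kind in find_mismatches(SAMPLE_EVENTS):
        print(f"account mismatch: {src} -> {dst} ({kind})")
```

In a NetWitness parser the same logic would live in the OnSessionEnd callback, after both user.src and user.dst have been seen for the session, with the result written as a new meta value that the alert can match on.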

If you have ESA and are on 10.6.3+, then you can use a comparison between two values to get what you are looking for.

In the ESA Alert window, when you create rule entries, you can use the correlation type and then add the two meta values to compare in the following two columns to get the comparison you are looking for.